
advanced-threat-research / Cve 2020 16898

CVE-2020-16898 (Bad Neighbor) Microsoft Windows TCP/IP Vulnerability Detection Logic and Rule

Programming Languages

lua

CVE-2020-16898: “Bad Neighbor”

CVSS Score: 8.8

CVSS Vector: CVSS3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

Overview

On October 13, Microsoft announced an exceptionally critical vulnerability in the Windows IPv6 stack, which allows an attacker to send maliciously crafted packets to potentially execute arbitrary code on a remote system. The proof-of-concept shared with MAPP members is both extremely simple and perfectly reliable. It results in an immediate BSOD (Blue Screen of Death), but more importantly, it indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations. The effects of an exploit that grants remote code execution would be widespread and highly impactful, as this is the type of bug that could be made wormable. For ease of reference, we named the vulnerability “Bad Neighbor” because it is located within the ICMPv6 Neighbor Discovery Protocol, using the Router Advertisement type.

This document has been prepared by McAfee Advanced Threat Research. It is intended to provide valuable insights for network administrators and security personnel looking to further understand this vulnerability and to defend against exploitation. The signature produced here should be thoroughly considered and vetted in staging environments prior to being used in production, and it may benefit from specific tuning to the target deployment.

The information provided herein is subject to change without notice, and is provided "AS IS", with all faults, without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance and for use at your own risk. Additionally, we cannot guarantee any performance or efficacy benchmarks for any signatures.

Signature

The Suricata signature for this vulnerability is located in cve-2020-16898.rules and contains the following logic:

alert icmp any any -> any any (msg:"Potential CVE-2020-16898 Exploit"; lua:cve-2020-16898.lua; sid:202016898; rev:1;)

The corresponding Lua script may be found in cve-2020-16898.lua. It contains the logic necessary to properly parse the ICMPv6 layer and identify potential exploitation of Bad Neighbor, as follows:

Once we've located the start of the ICMPv6 layer, we test the first byte of the layer to ensure that it's a Router Advertisement ICMPv6 packet (Type = 134); if it isn't, we exit.

Since Suricata primitives have not been updated to parse the ICMPv6 options, we simply jump to the 17th byte of the ICMPv6 layer, since that's where the Options should start, if present (the first 16 bytes are static-length fields, per RFC 4443). From there, we loop over every Option until we run out of bytes in the packet. For each Option, we're only interested in the first two bytes: the Option Type and Length fields, respectively. We ignore all Options other than RDNSS; for Option Type = 25 (RDNSS), we check whether the Length (the second byte of the Option) is an even number. If it is, we flag the packet; if not, we continue. Since the Length is counted in increments of 8 bytes, we multiply the Length by 8 and jump ahead that many bytes to get to the start of the next Option (subtracting 1 to account for the Length byte we've already consumed).

This rule also checks that the Length is at least 3, as RFC 8106 requires, but that check may ultimately be superfluous, since we're only concerned with whether the Length is even.
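The option-walking logic described above, re-implemented as a stand-alone Python function over constructed ICMPv6 payloads so it can be exercised offline. This is an added example, not the project's cve-2020-16898.lua; the sample packets, the 2001:db8::53 server address and the link-layer address are constructed here, and the zero-length-option guard is a defensive addition so a malformed packet cannot stall the parser.

```python
import struct
from ipaddress import IPv6Address

ICMPV6_ROUTER_ADVERTISEMENT = 134  # RA type, tested on the first byte of the layer
OPT_RDNSS = 25                     # Recursive DNS Server option (RFC 8106)
RA_FIXED_HEADER_LEN = 16           # Options begin at the 17th byte of the ICMPv6 layer


def is_bad_neighbor(icmpv6: bytes) -> bool:
    """Return True when an RA carries an RDNSS option whose Length is even."""
    if len(icmpv6) < RA_FIXED_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return False               # not a Router Advertisement: nothing to check
    off = RA_FIXED_HEADER_LEN
    while off + 2 <= len(icmpv6):  # need at least the Type and Length bytes
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            return False           # Length 0 is illegal (RFC 4861): stop, never spin
        if opt_type == OPT_RDNSS and opt_len >= 3 and opt_len % 2 == 0:
            return True            # even RDNSS Length: flag the packet
        off += opt_len * 8         # Length is counted in 8-byte units
    return False


def build_ra(options: bytes) -> bytes:
    """Constructed RA header: Type 134, Code 0, checksum left 0, hop limit 64,
    flags 0, Router Lifetime 1800 s, Reachable Time 0, Retrans Timer 0."""
    fixed = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return fixed + options


def rdnss_option(length: int, servers: bytes) -> bytes:
    """RDNSS option: Type 25, Length (8-byte units), Reserved, Lifetime, addresses."""
    return bytes([OPT_RDNSS, length]) + struct.pack("!HI", 0, 1800) + servers


DNS_SERVER = IPv6Address("2001:db8::53").packed              # constructed sample address
SLLA_OPTION = bytes([1, 1]) + bytes.fromhex("020000000001")  # Source Link-Layer Address
# Legitimate RA: SLLA, then RDNSS with one server (Length 3 = 24 bytes, odd)
BENIGN_RA = build_ra(SLLA_OPTION + rdnss_option(3, DNS_SERVER))
# Crafted RA: RDNSS Length 4 (32 bytes) is even, the condition the rule flags
CRAFTED_RA = build_ra(SLLA_OPTION + rdnss_option(4, DNS_SERVER + bytes(8)))
# Malformed RA with a zero-length option: rejected without looping forever
ZERO_LEN_RA = build_ra(bytes([OPT_RDNSS, 0]) + bytes(6))
# Neighbor Solicitation (Type 135): never inspected by the rule
NEIGHBOR_SOLICITATION = bytes([135]) + bytes(23)
if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_RA), ("crafted", CRAFTED_RA),
                      ("zero-len", ZERO_LEN_RA), ("ns", NEIGHBOR_SOLICITATION)]:
        print(f"{name:9s} -> {'ALERT' if is_bad_neighbor(pkt) else 'ok'}")
```

Run from a packet capture, the same function can be applied to the ICMPv6 layer of each frame; only the crafted sample above produces an alert.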
